Automated audit: This issue was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the findings on their merits.
About NLPM
NLPM is a natural-language programming linter for Claude Code plugins. It audits .claude/ artifacts (commands, skills, CLAUDE.md files) against a 50-rule quality standard and a security pattern database. Scores are on a 100-point scale; the default quality threshold is 70.
This audit was run on 2026-04-12 against 78 NL artifacts using a progressive scan strategy.
Overall NL Score: 82/100 — above threshold, solid quality.
Bugs Found (9 total — all in speckit commands)
All 9 speckit command files in .claude/commands/ are missing the name frontmatter field required by Claude Code for command registration. Without it, Claude Code cannot correctly identify these commands in the command palette.
| # | File | Issue | Impact |
|---|------|-------|--------|
| 1 | .claude/commands/speckit.taskstoissues.md | Missing name frontmatter | Command may be silently dropped or misidentified |
| 2 | .claude/commands/speckit.analyze.md | Missing name frontmatter | Same |
| 3 | .claude/commands/speckit.checklist.md | Missing name frontmatter | Same |
| 4 | .claude/commands/speckit.clarify.md | Missing name frontmatter | Same |
| 5 | .claude/commands/speckit.constitution.md | Missing name frontmatter | Same |
| 6 | .claude/commands/speckit.implement.md | Missing name frontmatter | Same |
| 7 | .claude/commands/speckit.plan.md | Missing name frontmatter | Same |
| 8 | .claude/commands/speckit.specify.md | Missing name frontmatter | Same |
| 9 | .claude/commands/speckit.tasks.md | Missing name frontmatter | Same |
Security Findings (Medium × 2, Low × 2 — no Critical/High)
| # | Severity | File | Finding |
|---|----------|------|---------|
| 1 | Medium | commands/run-act-test.ps1 | Invoke-Expression with dynamically-assembled string — injection surface if .env values contain PowerShell metacharacters |
| 2 | Medium | commands/generate-release.ps1 | Commit messages written to markdown without escaping; $repoPath derived from untrusted origin remote |
| 3 | Medium | Plugin startup (McpServerManager.cs) | Server binary downloaded from GitHub releases without checksum/signature verification |
| 4 | Low | commands/update-unity-mcp-server.ps1 | Latest-version NuGet resolution replaces pinned versions silently |
| 5 | Low | commands/run-act-test.ps1 | .env file with Unity credentials has no file-permission enforcement |
Note: Finding #3 (binary integrity) is the highest practical risk — a silent replacement of the Unity Editor MCP server binary during download. We have not filed a PR for this because it requires changes to C# code (McpServerManager.cs) that we did not want to touch without a direct conversation with maintainers. Happy to discuss the recommended fix (SHA256 verification against a .sha256 release asset).
PRs Submitted
Quality Notes (informational — no PRs)
The 64 plugin skills in Unity-MCP-Plugin/.claude/skills/ and the 9 speckit commands all lack model and allowed-tools frontmatter. These are quality issues (not bugs) and we have not filed PRs for them. Adding them in bulk would raise the NL Score from 82 to approximately 90. The most impactful candidates are the reflection and script-execution skills, which have elevated Unity Editor access and would benefit from explicit tool permission boundaries.
The project is genuinely well-structured — the cross-component references (speckit ↔ scripts, plugin skills ↔ MCP tool registry, version files ↔ bump script) are all intact and consistent. The exemplary unity-skill-create/SKILL.md (score 90, includes C# code sample and pattern documentation) is a great template for the rest.
Thank you for building and maintaining this project — it's a thoughtful integration of Unity and Claude Code.